Dumpster-Diving for Your Identity
The NYT magazine has a story titled Dumpster-Diving for Your Identity - the author interviews two convicted identity thieves talking about their methods and successes.
I've always taken a few moments to shred my bank machine receipts when I get them. Since sorting for recycling takes time anyway, I've always gone through it and shredded anything remotely useful, long before the notion of "identity theft" became mainstream.
Honestly, if people would just be a bit more paranoid, and not worry about being casual with risk as a fashion statement, these guys would have a lot less to go on.
That's with regard to personal papers. Businesses should know better, and should get their asses sued for failing to protect sensitive information that was entrusted to them by their clients.
I'd argue that was nothing but a slap on the wrist, and not much of a deterrent to future fraudsters.
Outside of a dog, a book is man's best friend. Inside a dog it's too dark to read. - Groucho Marx
I'm not saying I'm agreeing with the parent post, but if you do, please remember that certain papers must be filed by you for a period of up to 10 years... so you might want to do what most people in this situation do: buy a small file-safe... otherwise you might end up having troubles with the IRS, and we don't want that, do we?
Quick question... since personal shredders are only $30, why does your company use the shredding service at all? It would probably be cheaper to outfit every employee (or at least every department) with their own shredder than pay for 2 months of that service. When you empty your personal shredders, just use ordinary recycling for the shreds.
Jason
ProfQuotes
That's one of the reasons the military and (some) government agencies have adopted standardized protocols to deal with this kind of stuff and generally are quick to reprimand those who violate policy.
Many security problems these days have to do with the fact that people for some reason refuse to apply common sense -- requiring people to wear ID tags at all times and conducting thorough background checks is not going to do any good if you just dispose of confidential documents into some backyard alley dumpster.
The cost of having every employee or department having their own shredder isn't restricted to the initial $30/seat investment. There's also the time involved in shredding documents.
Probably not a good example, but:
I once had a job which involved faxing purchase orders to suppliers. When I first started, the process was:
- Print batch of purchase orders.
- Go to accounting department. (I didn't have a fax machine on my desk.)
- Fax each purchase order individually.
This process consumed 2 to 3 hours of each of my days.
COST: 2 to 3 hours employee time per day.
SAVINGS: $100 one-time cost of fax machine
Upper management greatly improved the situation when they donated a fax machine from their office for my desk...because it didn't meet their needs - it didn't automatically identify the sender in the page headers.
COST: 45 to 60 minutes employee time per day; plus additional 40 minutes of long-distance calling per day for the header page.
SAVINGS: $100 one-time cost of fax machine; 2 to 2-1/4 hours employee time per day.
Although it saved the daily trip to the accounting office, faxing now required a header page identifying where the fax was coming from. At least I could be mostly-productive while doing the mindless hours of fax work.
Eventually, we did end up with a fax modem which was connected directly to the mainframe which saved even more time.
COST: $300 for the fax modem; software written in-house in about an hour
SAVINGS: 2 to 3 hours of employee time per day
Queue batch of purchase orders.
Time is money - even if it is 15 minutes.
...because something even more invasive would be put in its place. The Devil that ya know, and all that.
We don't even need to pass new laws to restrict the use of the SSN, because we already have them. It's not supposed to be used for any identification purpose other than actual Social Security.
Once again, the problem is not lack of laws. It's lack of enforcement. (Look at Bush and Kenny Boy, and tell me if you're surprised.)
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
We use a shredding company to do our work as well. The papers are put into a loosely locked box and picked up monthly.
The man who picks ours up is a toy short of a happy meal. He rarely says more than an incoherent mumble or two. Something usually about the damn lock on the door (I share his frustration).
We started using them after we shredded about 5000 pounds of confidential data. I filled 12 large bins that they provided for us. These were probably 3.5 feet tall and large enough for at least two of my fat asses to fit inside easily.
Why do we use them? Because it would take me two or three days to destroy a single box of paper records that we have. I don't have time for that.
It's something like $500 for 5000 pounds. You do the math... Pay an employee $15/hr to shred documents for 3 days ($15 x 8) x 3 or $500 for 5000 pounds.
What about idiot colleges who are not allowed (legally) to request your social security number, but anyone can ask for your "student ID" which is coincidentally the same?
(all sarcasm aside, really what could one do?)
And there lies the answer. You don't have to perfectly destroy the papers. Just make it cost more to get the data than the data's worth. Even the most basic methods (straight shredder) will deter most thieves. Unless you're being specifically targeted, there's always the idiot down the street (or next door) that's an easier target.
It seems to me that the problem is a social one, not a technological one, and therefore we should be looking for solutions in the social domain.
In Britain, we have a National Insurance Number as a unique per-person identifier, but it is only used for taxation purposes. Also, your employer is responsible for stopping your tax right out of your wages before you ever see them, making it physically impossible for the working classes to commit tax fraud.
With no national identity card, anyone requiring ID has to seek it from multiple sources ..... usually official letters such as gas / electricity statements and bank statements for your address, and a passport or driving licence for your signature and photo. If you join a video club, for example, you might have to produce two bills and a signature, and you'll get a card which is only good for renting videos; there is no information on the video card that links it back to the papers you submitted. Of course you could mug someone on their way to or from joining a video club and get their papers that way, but if you already knew what they were about to do you probably already know enough about them.
Now, your name and address are published in the telephone directory. So places insist on official letters. Of course these could be forged ..... but it's recognised that the name and address aren't enough, so other documents are also usually required. {And if, say, my electric bill shows I paid £10 last Saturday, they might want to see my payment card and make sure the account number matches.} Most places also require a signature, and you may even be required to sign the form in front of them. It does take skill to forge signatures with an audience ..... I could do a very convincing one of my last-but-one boss's, but nowhere near as quickly as he could.
It seems the problem in the USA is that the social security number {which uniquely identifies a person} is treated as though it were a secret, unknown to any entity beyond the person it identifies. That clearly is not the case. Look at how PGP works ..... there is a published part known to everybody, a secret part known only to one individual and a mathematical relationship that makes it difficult to determine the secret part from the published part. If I just send you ajs318's public key, that doesn't prove I am ajs318. If I sign something with ajs318's secret key, and you can recover it with ajs318's public key, then that at least proves I know ajs318's secret key, and there's a better chance that I might actually be ajs318. It seems to me that the SSN {which identifies without authentication} is being misused.
Somebody who knows me is better qualified to say "That is the real ajs318" {or not} than some piece of machinery ever will be. A human being can check subtle things like signatures far more reliably than a machine. But the corporate mentality seems to be far too trusting of machines and far too distrustful of human beings. It's well known that humans make mistakes, but who designed and built the machines?
The other thing is, when you go into somewhere like a newsagent's shop, you are recognised by the regular staff there. {Kids in my old village used to shoplift from the local newsagents' once at most. The items they took got added onto their parents' slate.} The point is, the main identity used in that situation is the person themself, which is hard to forge. In a large impersonal supermarket, there is less potential for recognition, so if you pay by payment card or credit card then they require a signature {though trials are underway where the shopper will merely have to enter a 4-digit PIN, thus relieving the cashier of the responsibility to check a signature and not at all paving the way for brand new opportunities in crime}; on the Internet, none at all.
If you want security, stick with old fashioned pound notes, because they can only steal as many of those as you actually have. And, until they get RFID in money, it's untraceable. You can't look at a £20 note and see it was won in a poker game, for instance.
Je fume. Tu fumes. Nous fûmes!
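
The distinction the comment above draws between a number that identifies and a secret that authenticates, as an added example that is not part of the original thread. It swaps PGP for a Lamport one-time hash-based signature so it runs on Python's standard library alone; the record number, function names and impostor responders are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Secret part: 256 pairs of random values. Published part: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit. One-time: a key pair signs one message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def identifier_check(record_id: str, claimed_id: str) -> bool:
    # "Authentication" by knowing a number: anyone who has read it passes.
    return claimed_id == record_id

def challenge_response(pk, responder) -> bool:
    # A fresh random challenge each time, so an old answer is useless.
    nonce = secrets.token_bytes(16)
    return verify(pk, nonce, responder(nonce))

def demo():
    record_id = "000-00-0000"  # constructed sample identifier, not a real number
    sk, pk = keygen()
    seen = []                  # what an eavesdropper could capture on the wire
    def owner(nonce):
        seen.append(sign(sk, nonce))
        return seen[-1]
    return {
        "number_holder_accepted": identifier_check(record_id, "000-00-0000"),
        "owner_accepted": challenge_response(pk, owner),
        "replay_accepted": challenge_response(pk, lambda n: seen[0]),
        "guess_accepted": challenge_response(
            pk, lambda n: [secrets.token_bytes(32) for _ in range(256)]),
    }
```

Anyone holding the number passes `identifier_check`, while only the holder of the secret part answers a fresh challenge; a captured answer or the published part alone does not.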